HTB Academy - SQLMAP ESSENTIALS - Case6 - Non-standard boundaries

Hello,
I'm trying to do Case6, which requires me to set the correct values for the --prefix and --suffix arguments, but with no luck.

I also tried using --level 5 and --risk 3, hoping that the boundaries were there, but of course the exercise pushes me to think about or fuzz any possible boundary string.

The structure of my command is:

sqlmap 'http://142.93.35.92:31459/case6.php?col=id' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-GPC: 1' -H 'Cache-Control: max-age=0' -p col --prefix= --suffix= --level 5 --risk 3 --dbs -v 3

I used different strings for PREFIX and SUFFIX, but I guess they were already being injected with those --level and --risk values.
For example, I tried to use:

--prefix="%'))" --suffix="-- -"
--prefix="' SELECT * FROM users" --suffix="'-- "
--prefix="'" --suffix="-- -"
--prefix="')" --suffix=";--+"
--prefix "')" --suffix "AND (SELECT * FROM users"

with no luck.

How can I guess what the right boundaries could be (or at least whether I'm on the right track) if I cannot see the PHP code, containing for example:

$query = "SELECT id,name,surname FROM users WHERE id LIKE (('" . $_GET["q"] . "')) LIMIT 0,1";

Should I "brute-force" the boundaries?

Thank you in advance


Hello, I found a step forward. I noticed that if I use the ` character in the prefix, the webpage answers me with

SQL error: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '`)' at line 1

So, the query should have a structure like:

SELECT * FROM `users` WHERE `col = $id…

If I try to use -p col --prefix="%60+%3D+1" --suffix="+--+" --level 5 --risk 3 -v 3, sqlmap tells me that the backend DBMS looks like MySQL and now, during the UNION test, it also asks me:

injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'?

I'm not sure whether I'm on the right track, even though I still cannot find anything.

UPDATE:
Since the error above returns "right syntax to use near '`)' at line 1" (so it adds that `)), I can assume that the statement ends with `), so in the prefix I should place a (`. I tried different prefixes such as "` OR (`" but with no luck.

If I try manually to inject like this:

http://188.166.173.208:31728/case6.php?col=id OR (GROUP BY 1

SQL error: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1

So now the error is near the " character. If this assumption is correct, I guess I should not use the --suffix argument… or maybe I'm just overcomplicating the problem…

UPDATE: I found the flag! ^^
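An added example (mine, not code from the thread or from HTB) for the reasoning the replies keep hinting at, "imagine the query behind": a small Python simulator that composes the SQL a hypothetical back end would build from the original parameter value plus prefix, payload and suffix, then reports whether the payload lands in live SQL, whether quotes, backticks and parentheses still balance, and whether the original tail of the statement got commented out. The two query templates are assumptions for illustration only (one is the LIKE shape the original poster wrote out as a guess, the other an assumed backtick-quoted column); neither is the actual case6.php source, and the candidate prefixes are the ones tried in the thread.

```python
"""Added example, not code from the forum thread or from HTB.

Simulates what a --prefix/--suffix pair does to a hypothetical back-end query so
that boundary candidates can be reasoned about before sqlmap is run. The query
templates below are assumptions for illustration only, not the real case6.php.
"""

# Constructed query templates; "{input}" marks where the GET parameter is concatenated.
TEMPLATES = {
    # The LIKE-inside-double-parentheses shape the original poster wrote out as a guess.
    "like_double_paren": "SELECT id,name,surname FROM users WHERE id LIKE (('{input}')) LIMIT 0,1",
    # An assumed shape in which the parameter names a column inside backticks.
    "backtick_column": "SELECT * FROM `users` WHERE `{input}` = 1",
}


def compose(template, value, prefix, payload, suffix):
    """Build the SQL the back end would see.

    sqlmap keeps the original parameter value (here "id") and appends
    prefix + payload + suffix to it; spacing is left to the prefix/suffix
    strings, exactly as on the sqlmap command line.
    """
    injected = value + prefix + payload + suffix
    payload_offset = template.index("{input}") + len(value) + len(prefix)
    return template.replace("{input}", injected), payload_offset


def analyse(sql, payload_offset):
    """Scan composed SQL, tracking '...' literals, `...` identifiers and parentheses.

    A "-- " or "#" outside quotes ends the statement, as MySQL/MariaDB treat it.
    Escaped quotes inside literals are not modelled, so keep payloads simple.
    Returns whether delimiters balance, whether the payload sits in live SQL
    (outside any literal/identifier) and whether the original tail got commented out.
    """
    depth = 0                     # parenthesis nesting outside quotes
    state = None                  # None, "'" or "`" while inside a literal/identifier
    commented = False
    payload_state = "unreached"   # scanner state at payload_offset; None means live SQL
    i = 0
    while i < len(sql):
        if i == payload_offset:
            payload_state = state
        c = sql[i]
        if state:
            if c == state:
                state = None
        elif c in ("'", "`"):
            state = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth < 0:
                return {"balanced": False, "problem": "unmatched ')' at offset %d" % i,
                        "payload_live": payload_state is None, "tail_commented": False}
        elif sql.startswith("-- ", i) or c == "#":
            commented = True
            break
        i += 1
    problem = None
    if state:
        problem = "unterminated %s" % state
    elif depth:
        problem = "%d unclosed '('" % depth
    return {"balanced": problem is None, "problem": problem,
            "payload_live": payload_state is None, "tail_commented": commented}


def check(template_name, prefix, suffix, value="id", payload="AND 1=1"):
    """Compose and analyse one candidate boundary against one assumed template."""
    sql, offset = compose(TEMPLATES[template_name], value, prefix, payload, suffix)
    result = analyse(sql, offset)
    result["sql"] = sql
    return result


if __name__ == "__main__":
    # Candidate boundaries taken from the thread, each tried against both assumed templates.
    candidates = [("' ", " -- -"), ("')) ", " -- -"), ("` ", " -- -"), ("') ", ";-- -")]
    for name in TEMPLATES:
        for prefix, suffix in candidates:
            r = check(name, prefix, suffix)
            verdict = "OK" if r["balanced"] and r["payload_live"] else "FAIL"
            print("%-17s prefix=%-6r suffix=%-7r %s %s" % (name, prefix, suffix, verdict, r["problem"] or ""))
            print("    " + r["sql"])
```

The useful distinction the output makes is between a candidate that errors (a parenthesis left open once the suffix comments out the tail, which is what a 1064 "near ..." message reflects) and one that is syntactically fine but inert because the payload was swallowed inside a literal or a backticked identifier; only a candidate that is both balanced and live gives sqlmap something to work with.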

How did you get it? I am stuck too.

Hello @jydn879,
you should imagine what the query behind it looks like. You already have id in the URL (because of col=id), so you must close it with the right character. Of course that id cannot stay there "alone".

If you try to guess the possible SQL query behind it, it will be easy to get the solution.

Can you explain where you got this from and how it works? I've been badly stuck on this for 2 days now: --prefix="%60+%3D+1"

Is this somehow equivalent to this? --prefix="%'))"

EDIT: Figured out it's the URL encoding for " ’ = 1 ". I tried variations with %60 %28 = (’, but still can't seem to get it right.

OK. So I've been bashing my head against this for hours. I've tried every possible permutation of the characters 1, =, ) and ’ but still can't seem to get it right. I've also tried the permutations URL encoded. Care to give me a hand?

I suppose it needs a ') to close the brackets and the =1 to signify the ID being fetched, as in ')=1

Where am I getting it wrong?

Um, no. You should guess what the SQL query in the backend PHP file is. Try to suppose, and report here, which SQL statement should be correct. If you write ')=1, you expect the SQL query to have an open bracket ( somewhere. And that is not the case. Just guess what other character could be used to close a statement.

That's interesting. The hint literally says to use '`)' but none of that works, regardless of whether I incorporate = (%3d) or 1 (%31).

There is also the question of whether to use %60 as in `, %27 as in ', or ’, which translates to %19 or %E2%80%99 depending on the encoder/decoder.

I've already finished the rest, but this is really a pain in the a**.

Cheers for the help!

The answer, or part of it, is inside your last post.

Hello!

Can you give me some other tips? I've already been stuck here for hours.

Cheers

Hello!

Does anyone have some tips on how to continue?

I already figured out that the following query seems to be legit, because it doesn't throw an error, but sadly there is no output.

id) AND (SELECT @@version

Any tips? Am I on the right track?

Cheers.

Hi Paul. First, you should close the SQL statement with the right character and, if I remember correctly, id should already be in the URL so you don't need to insert it. You must imagine what the entire SQL statement on the backend server could be.

Thanks, I've already got it now. I was making it way too complicated.

Can you please give me a hint? I used every different prefix but still couldn't find it.
Do I have to change something in the -u parameter too? Mine is sqlmap -u "http://157.245.33.77:30517/case6.php?col=id" …

No. The URL is correct. You must change something in your prefix, I guess.

Yep, I got the flag, thank you.



Imagine what the SQL query on the backend could be. You know the parameter col is set as col=id, so start from there to imagine what the prefix could be…

PS: no need to close with brackets.